Reporting Requirement

Agreement was reached this week between member states of the EU and the European Parliament, in response to growing concerns at the number of cyberattacks and the increasing dependence of many critical businesses and industries on IT infrastructure.

“The European Parliament and the Luxembourg Presidency of the EU Council of Ministers last night reached an agreement on the rules,” said the European Commission. It said the new laws will “improve cybersecurity capabilities in Member States” and “improve Member States’ cooperation on cybersecurity.”

But the new law is notable because it will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.”

This means that firms such as Google, Amazon and Microsoft have been classified as essential service providers, alongside the likes of energy, banking, healthcare and transport companies, and will be required to report any attacks or breaches.

“Trust and security are the very foundations of a Digital Single Market,” said Andrus Ansip, European Commission VP for the Digital Single Market. “If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure.”

“The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe,” said Ansip. “This is why we need EU-wide cybersecurity solutions. Last night’s agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services.”

“The agreement constitutes a major step in improving the resilience of our network and information systems in Europe,” said Günther H. Oettinger, Commissioner for the Digital Economy and Society. “Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks.”

2017 Deadline

The next step will see the text of this political agreement formally approved by the European Parliament and the Council.

After that it will be published in the EU Official Journal and will officially enter into European law.

Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.

And some experts have warned that businesses need to fully understand the implications of this new law.

“The key obligations emerging from this directive will be that ‘operators of essential services’ will have to take ‘appropriate security measures’ and to notify serious incidents to the relevant national authority,” said Andrew Rogoyski, Head of Cyber Security, CGI.

“Organisations will need to be able to demonstrate that they have taken ‘appropriate security measures’,” he added. “This will be judged according to the individual company but, it is safe to say, many organisations currently do not take appropriate measures.”

Rogoyski expects the visibility of breaches to increase, which will in turn drive public concern over the safety of online systems and over whether a company can be trusted by its users with sensitive information.

“The NISD is going to significantly increase the focus on cybersecurity at board level – the obligation to publicly declare a breach will send shivers up the spines of CEOs everywhere,” Rogoyski warned. “The NISD has huge implications for cybersecurity now that whole new sectors will be obliged to declare their breaches.”

“Who wants to be the first company to have to disclose a breach under this new law, especially if the subsequent GDPR imposes a fine of 5 percent global revenue?” he warned.